# Basic Usage

Note: If you installed the app via pip, just replace `./FuzzingTool.py` with `FuzzingTool` in the commands below.
The FuzzingTool result class contains the base result information and can also hold custom information from the plugins.

```python
class Result:
    """The FuzzingTool result handler

    Attributes:
        index: The index of the result (same as the request index)
        payload: The payload used in the request
        url: The requested target URL
        method: The method used in the request
        RTT: The elapsed time on both request and response
        requestTime: The elapsed time only for the request
        responseTime: The elapsed time only for the response
        status: The response HTTP status code
        length: The length of the response body content
        words: The quantity of words in the response body
        lines: The quantity of lines in the response body
        custom: A dictionary to store custom data from the plugins
        response: The raw response object
    """
```
Every scanner runs a match analysis on the FuzzingTool result before any scanner-specific scan. You can match results based on the response status code (`-Mc`), length (`-Ms`) and elapsed time (`-Mt`).
Match by status code: set a single status code, a list, or a range of status codes to match.

```
-Mc 500                  # Set only status code 500
-Mc 200,301,302          # Set a list of status codes; including 200, 301 and 302
-Mc 500-600              # Set a range of status codes; 500 <= status <= 600
-Mc 200,301,302,500-600  # Combination of the previous examples
```
Match by length: set a length to match (in bytes).

```
-Ms 1000  # Match responses whose size is greater than 1000 bytes
```

Match by elapsed time: set a time (RTT) to match (in seconds).

```
-Mt 30  # Match requests whose request+response elapsed time is greater than 30 seconds
```
Combine match options to perform a precise analysis:

```
$ ./FuzzingTool.py -u https://mydomainexample.com/post.php?id= -w ~/wordlists/sqli.txt -Mc 500 -Mt 20 -t 50
```
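To make the semantics of the three match options concrete, here is an added example (not FuzzingTool's own code) that parses a `-Mc` value into status ranges and applies `-Mc`, `-Ms` and `-Mt` to a handful of constructed results. The `Result` class below is a reduced stand-in with only the fields the match options read, `Matcher`, `parse_status_spec` and `matching_indexes` are names chosen here, and the sample results are made up for the demonstration. It follows the option help above: `-Ms` and `-Mt` are strict "greater than", and an unset option imposes no constraint.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Result:
    """Minimal stand-in for FuzzingTool's Result (only the fields the match
    options read: status, length and RTT)."""
    index: int
    payload: str
    status: int
    length: int      # response body length in bytes
    RTT: float       # request + response elapsed time in seconds
    custom: dict = field(default_factory=dict)


def parse_status_spec(spec: str) -> List[Tuple[int, int]]:
    """Turn a -Mc value such as '200,301,302,500-600' into inclusive
    (low, high) pairs; a single code becomes (code, code)."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low_s, high_s = part.split("-", 1)
            low, high = int(low_s), int(high_s)
        else:
            low = high = int(part)
        if low > high:
            raise ValueError(f"bad status range: {part!r}")
        ranges.append((low, high))
    return ranges


@dataclass
class Matcher:
    """The three match options; None means 'not set' (no constraint)."""
    status_ranges: Optional[List[Tuple[int, int]]] = None  # -Mc
    min_length: Optional[int] = None                         # -Ms (bytes)
    min_rtt: Optional[float] = None                          # -Mt (seconds)

    @classmethod
    def from_options(cls, mc: Optional[str] = None,
                     ms: Optional[int] = None,
                     mt: Optional[float] = None) -> "Matcher":
        return cls(parse_status_spec(mc) if mc else None, ms, mt)

    def matches(self, r: Result) -> bool:
        """Every option that is set must hold; -Ms and -Mt are strict
        'greater than', as the option help states."""
        if self.status_ranges is not None and not any(
                lo <= r.status <= hi for lo, hi in self.status_ranges):
            return False
        if self.min_length is not None and not r.length > self.min_length:
            return False
        if self.min_rtt is not None and not r.RTT > self.min_rtt:
            return False
        return True


# Constructed sample results (not real scan output).
SAMPLE_RESULTS = [
    Result(1, "FUZZ-1", 500, 2048, 25.3),
    Result(2, "FUZZ-2", 200, 512, 0.2),
    Result(3, "FUZZ-3", 200, 128, 31.2),
    Result(4, "FUZZ-4", 301, 0, 0.1),
]


def matching_indexes(matcher: Matcher, results: List[Result]) -> List[int]:
    """Indexes of the results the matcher keeps, in request order."""
    return [r.index for r in results if matcher.matches(r)]


if __name__ == "__main__":
    # Equivalent of '-Mc 500 -Mt 20' from the example command line above.
    print(matching_indexes(Matcher.from_options(mc="500", mt=20), SAMPLE_RESULTS))
```

With the sample data, `-Mc 500 -Mt 20` keeps only result 1 (status 500 and 25.3 s), while `-Mt 30` alone keeps only result 3, which illustrates why combining options narrows the output rather than widening it.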
By setting a status code blacklist, you keep FuzzingTool from continuing its fuzzing tests once an unwanted status is detected.

```
--blacklist-status STATUS:ACTION
# Available actions: skip | wait
--blacklist-status STATUS:skip          # Skips the current target
--blacklist-status STATUS:wait=SECONDS  # Pauses the app for the given number of seconds
```

For example, if you don't want to stress the server or cause internal errors, skip the current target when status code 500 is detected:

```
--blacklist-status 500:skip
```

Another example: if the server rejects your requests (status 429), you can pause the app for some seconds:

```
--blacklist-status 429:wait=300  # Waits 5 minutes before resuming the app
```

For multiple status codes, separate them with a comma:

```
--blacklist-status 429,500:skip
```
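The following added example (not FuzzingTool's own code) parses a `--blacklist-status` value into a per-status action and walks a constructed sequence of response codes to show the difference between `skip` (stop the current target) and `wait=SECONDS` (pause, then keep going). `BlacklistAction`, `parse_blacklist_status` and `run_fuzz` are names chosen here, and the sleep is only counted, not performed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BlacklistAction:
    kind: str          # "skip" or "wait"
    seconds: int = 0   # pause length, only used by "wait"


def parse_blacklist_status(option: str) -> Dict[int, BlacklistAction]:
    """Parse a --blacklist-status value: STATUS[,STATUS...]:skip or
    STATUS[,STATUS...]:wait=SECONDS. Every listed code maps to the same action."""
    if ":" not in option:
        raise ValueError("expected STATUS:ACTION")
    codes, action_spec = option.rsplit(":", 1)
    if action_spec == "skip":
        action = BlacklistAction("skip")
    elif action_spec.startswith("wait="):
        seconds = int(action_spec[len("wait="):])
        if seconds <= 0:
            raise ValueError("wait needs a positive number of seconds")
        action = BlacklistAction("wait", seconds)
    else:
        raise ValueError(f"unknown action: {action_spec!r}")
    return {int(code): action for code in codes.split(",") if code.strip()}


def run_fuzz(statuses: List[int],
             blacklist: Dict[int, BlacklistAction]) -> Tuple[int, int, bool]:
    """Walk a constructed sequence of response status codes, applying the
    blacklist after each one. Returns (requests sent, seconds waited, skipped)."""
    sent = 0
    waited = 0
    for status in statuses:
        sent += 1
        action = blacklist.get(status)
        if action is None:
            continue
        if action.kind == "skip":
            return sent, waited, True    # stop fuzzing this target
        waited += action.seconds        # the real tool would time.sleep here
    return sent, waited, False


if __name__ == "__main__":
    # Constructed status sequence: a 500 appears on the third request.
    print(run_fuzz([200, 404, 500, 200], parse_blacklist_status("429,500:skip")))
```

With `429,500:skip` the loop stops after the third response and the fourth request is never sent; with `429:wait=300` every request is sent, but each 429 adds a 300-second pause.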
The DataScanner is the default scanner for the DataFuzzing type of fuzzing. This scanner adds the payload length attribute to the result:

```python
result._custom['PayloadLength'] = payloadLength
```

The PathScanner is the default scanner for the URL PathFuzzing type of fuzzing. This scanner adds the redirected attribute to the result:

```python
result._custom['redirected'] = redirected
```

The SubdomainScanner is the default scanner for the URL SubdomainFuzzing type of fuzzing. This scanner adds the target IP attribute to the result:

```python
result._custom['ip'] = targetIp
```
The file dictionary builds the wordlist from a file.

```
-w ~/example/directory/wordlist.txt
```

Example:

```
./FuzzingTool.py -u https://$.domain.com/ -w ~/wordlists/subdomains.csv
```

The list dictionary builds the wordlist from a payload list given on the command line.

```
-w [payload1,payload2,...]
```

Example:

```
./FuzzingTool.py -u https://$.domain.com/ -w [cpanel,admin,wp-admin,mail]
```

You can set a range (integer or alphabet) inside or outside a payload. Only one range per payload is accepted. For example:

```
-w [0-10]                   # Produces [0, 1, 2, 3, ..., 10]
-w [a-z]                    # Produces [a, b, c, d, ..., z]
-w [PAY0-10LOAD]            # Produces [PAY0LOAD, PAY1LOAD, PAY2LOAD, ..., PAY10LOAD]
-w ['PAY\-LOAD']            # Produces [PAY-LOAD]
-w [init, 0-10, end1, end2] # Produces [init, 0, 1, 2, 3, ..., 10, end1, end2]
```
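As an added example (not FuzzingTool's list dictionary itself), the parser below reproduces the expansion rules listed above: bracketed comma-separated items, at most one integer or letter range per payload, a range inside or outside the payload, and `\-` as a literal hyphen. `split_payload_list`, `expand_payload` and `build_wordlist` are names chosen here. One assumption goes beyond the page: a letter range is only recognised when both letters stand alone (so `[a-z]` expands but `wp-admin` from the earlier example stays literal); the real tool may resolve that case differently.

```python
import re
from string import ascii_lowercase, ascii_uppercase
from typing import List

# One integer range (0-10) or one single-letter range (a-z). The letter form
# only fires when both letters stand alone, so a word such as wp-admin is a
# literal (assumption, see lead-in). An escaped hyphen "\-" can never form a
# range because the backslash, not a digit or letter, precedes it.
_RANGE_RE = re.compile(r"(\d+)-(\d+)|(?<![A-Za-z])([A-Za-z])-([A-Za-z])(?![A-Za-z])")


def _unescape(text: str) -> str:
    """Turn the escaped hyphen '\\-' back into a literal '-'."""
    return text.replace("\\-", "-")


def split_payload_list(arg: str) -> List[str]:
    """Split '[a, b, c]' into raw items, dropping brackets, whitespace and
    surrounding quotes (as in ['PAY\\-LOAD'])."""
    arg = arg.strip()
    if not (arg.startswith("[") and arg.endswith("]")):
        raise ValueError("payload list must be enclosed in [ ]")
    items = []
    for raw in arg[1:-1].split(","):
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            raw = raw[1:-1]
        if raw:
            items.append(raw)
    return items


def expand_payload(item: str) -> List[str]:
    """Expand at most one range inside a payload and unescape '\\-'."""
    matches = list(_RANGE_RE.finditer(item))
    if len(matches) > 1:
        raise ValueError(f"only one range per payload: {item!r}")
    if not matches:
        return [_unescape(item)]
    m = matches[0]
    prefix, suffix = _unescape(item[:m.start()]), _unescape(item[m.end():])
    if m.group(1) is not None:                       # integer range
        low, high = int(m.group(1)), int(m.group(2))
        if low > high:
            raise ValueError(f"bad range: {item!r}")
        values = [str(n) for n in range(low, high + 1)]
    else:                                            # letter range
        low, high = m.group(3), m.group(4)
        if low.islower() != high.islower():
            raise ValueError(f"mixed-case range: {item!r}")
        alphabet = ascii_lowercase if low.islower() else ascii_uppercase
        start, end = alphabet.index(low), alphabet.index(high)
        if start > end:
            raise ValueError(f"bad range: {item!r}")
        values = list(alphabet[start:end + 1])
    return [prefix + v + suffix for v in values]


def build_wordlist(arg: str) -> List[str]:
    """The full payload list for a -w value of the list dictionary form."""
    wordlist: List[str] = []
    for item in split_payload_list(arg):
        wordlist.extend(expand_payload(item))
    return wordlist


if __name__ == "__main__":
    print(build_wordlist("[init, 0-10, end1, end2]"))
```

Running it on `[PAY0-10LOAD]` yields `PAY0LOAD` through `PAY10LOAD`, on `['PAY\-LOAD']` the single literal `PAY-LOAD`, and a payload carrying two ranges is rejected rather than silently expanded.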